REST API: Add dimension validation to sideload endpoint.

Validates uploaded image dimensions against expected size constraints
in the wp/v2/media/<id>/sideload endpoint. This prevents users from
uploading incorrectly-sized images for a specified image size.

Validation rules:
- 'original' size: must match original attachment dimensions exactly.
- 'full' and 'scaled' sizes: requires positive dimensions only.
- Regular sizes: dimensions must not exceed registered size maximums
  (with 1px tolerance for rounding differences).

Also adds two new test cases for dimension validation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: adamsilverstein

src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php

@@ -1968,6 +1968,114 @@ public function sideload_item_permissions_check( $request ) {
 		return $this->edit_media_item_permissions_check( $request );
 	}
 
+	/**
+	 * Validates that uploaded image dimensions are appropriate for the specified image size.
+	 *
+	 * @since 7.0.0
+	 *
+	 * @param int    $width         Uploaded image width.
+	 * @param int    $height        Uploaded image height.
+	 * @param string $image_size    The target image size name.
+	 * @param int    $attachment_id The attachment ID.
+	 * @return true|WP_Error True if valid, WP_Error if invalid.
+	 */
+	private function validate_image_dimensions( int $width, int $height, string $image_size, int $attachment_id ) {
+		// 'original' size: should match original attachment dimensions.
+		if ( 'original' === $image_size ) {
+			$metadata = wp_get_attachment_metadata( $attachment_id, true );
+			if ( is_array( $metadata ) && isset( $metadata['width'], $metadata['height'] ) ) {
+				$expected_width  = (int) $metadata['width'];
+				$expected_height = (int) $metadata['height'];
+
+				if ( $width !== $expected_width || $height !== $expected_height ) {
+					return new WP_Error(
+						'rest_upload_dimension_mismatch',
+						sprintf(
+							/* translators: 1: Expected width, 2: expected height, 3: actual width, 4: actual height. */
+							__( 'Uploaded image dimensions (%3$dx%4$d) do not match original image dimensions (%1$dx%2$d).' ),
+							$expected_width,
+							$expected_height,
+							$width,
+							$height
+						),
+						array( 'status' => 400 )
+					);
+				}
+			}
+			return true;
+		}
+
+		// 'full' size (PDF thumbnails) and 'scaled': dimensions must be positive.
+		if ( 'full' === $image_size || 'scaled' === $image_size ) {
+			if ( $width <= 0 || $height <= 0 ) {
+				return new WP_Error(
+					'rest_upload_invalid_dimensions',
+					__( 'Uploaded image must have positive dimensions.' ),
+					array( 'status' => 400 )
+				);
+			}
+			return true;
+		}
+
+		// Regular image sizes: validate against registered size constraints.
+		$registered_sizes = wp_get_registered_image_subsizes();
+
+		if ( ! isset( $registered_sizes[ $image_size ] ) ) {
+			return new WP_Error(
+				'rest_upload_unknown_size',
+				__( 'Unknown image size.' ),
+				array( 'status' => 400 )
+			);
+		}
+
+		$size_data  = $registered_sizes[ $image_size ];
+		$max_width  = (int) $size_data['width'];
+		$max_height = (int) $size_data['height'];
+
+		// Dimensions must be positive.
+		if ( $width <= 0 || $height <= 0 ) {
+			return new WP_Error(
+				'rest_upload_invalid_dimensions',
+				__( 'Uploaded image must have positive dimensions.' ),
+				array( 'status' => 400 )
+			);
+		}
+
+		// Validate dimensions don't exceed the registered size maximums.
+		// Allow 1px tolerance for rounding differences.
+		$tolerance = 1;
+
+		if ( $max_width > 0 && $width > $max_width + $tolerance ) {
+			return new WP_Error(
+				'rest_upload_dimension_mismatch',
+				sprintf(
+					/* translators: 1: Image size name, 2: maximum width, 3: actual width. */
+					__( 'Uploaded image width (%3$d) exceeds maximum for "%1$s" size (%2$d).' ),
+					$image_size,
+					$max_width,
+					$width
+				),
+				array( 'status' => 400 )
+			);
+		}
+
+		if ( $max_height > 0 && $height > $max_height + $tolerance ) {
+			return new WP_Error(
+				'rest_upload_dimension_mismatch',
+				sprintf(
+					/* translators: 1: Image size name, 2: maximum height, 3: actual height. */
+					__( 'Uploaded image height (%3$d) exceeds maximum for "%1$s" size (%2$d).' ),
+					$image_size,
+					$max_height,
+					$height
+				),
+				array( 'status' => 400 )
+			);
+		}
+
+		return true;
+	}
+
 	/**
 	 * Side-loads a media file without creating a new attachment.
 	 *
@@ -2047,6 +2155,18 @@ public function sideload_item( WP_REST_Request $request ) {
 
 		$image_size = $request['image_size'];
 
+		$size = wp_getimagesize( $path );
+
+		// Validate dimensions match expected size.
+		if ( $size ) {
+			$validation = $this->validate_image_dimensions( $size[0], $size[1], $image_size, $attachment_id );
+			if ( is_wp_error( $validation ) ) {
+				// Clean up the uploaded file.
+				wp_delete_file( $path );
+				return $validation;
+			}
+		}
+
 		$metadata = wp_get_attachment_metadata( $attachment_id, true );
 
 		if ( ! $metadata ) {
@@ -2100,8 +2220,6 @@ public function sideload_item( WP_REST_Request $request ) {
 		} else {
 			$metadata['sizes'] = $metadata['sizes'] ?? array();
 
-			$size = wp_getimagesize( $path );
-
 			$metadata['sizes'][ $image_size ] = array(
 				'width'     => $size ? $size[0] : 0,
 				'height'    => $size ? $size[1] : 0,

tests/phpunit/tests/rest-api/rest-attachments-controller.php

@@ -3343,4 +3343,62 @@ public function test_sideload_scaled_unique_filename_conflict() {
 		$basename = wp_basename( $new_file );
 		$this->assertMatchesRegularExpression( '/canola-scaled-\d+\.jpg$/', $basename, 'Scaled filename should have numeric suffix when file conflicts with a different attachment.' );
 	}
+
+	/**
+	 * Tests that sideloading an oversized image for a registered size is rejected.
+	 *
+	 * @ticket 63
+	 * @requires function imagejpeg
+	 */
+	public function test_sideload_item_rejects_oversized_dimensions() {
+		wp_set_current_user( self::$author_id );
+
+		// Create an attachment.
+		$request = new WP_REST_Request( 'POST', '/wp/v2/media' );
+		$request->set_header( 'Content-Type', 'image/jpeg' );
+		$request->set_header( 'Content-Disposition', 'attachment; filename=canola.jpg' );
+		$request->set_body( file_get_contents( self::$test_file ) );
+		$response      = rest_get_server()->dispatch( $request );
+		$attachment_id = $response->get_data()['id'];
+
+		// canola.jpg is 640x480, which exceeds the default thumbnail size (150x150).
+		$request = new WP_REST_Request( 'POST', "/wp/v2/media/{$attachment_id}/sideload" );
+		$request->set_header( 'Content-Type', 'image/jpeg' );
+		$request->set_header( 'Content-Disposition', 'attachment; filename=canola-150x150.jpg' );
+		$request->set_param( 'image_size', 'thumbnail' );
+		$request->set_body( file_get_contents( self::$test_file ) );
+		$response = rest_get_server()->dispatch( $request );
+
+		$this->assertSame( 400, $response->get_status(), 'Oversized image should be rejected.' );
+		$this->assertSame( 'rest_upload_dimension_mismatch', $response->get_data()['code'], 'Error code should be rest_upload_dimension_mismatch.' );
+	}
+
+	/**
+	 * Tests that sideloading a correctly sized image for a registered size succeeds.
+	 *
+	 * @ticket 63
+	 * @requires function imagejpeg
+	 */
+	public function test_sideload_item_accepts_valid_dimensions() {
+		wp_set_current_user( self::$author_id );
+
+		// Create an attachment.
+		$request = new WP_REST_Request( 'POST', '/wp/v2/media' );
+		$request->set_header( 'Content-Type', 'image/jpeg' );
+		$request->set_header( 'Content-Disposition', 'attachment; filename=canola.jpg' );
+		$request->set_body( file_get_contents( self::$test_file ) );
+		$response      = rest_get_server()->dispatch( $request );
+		$attachment_id = $response->get_data()['id'];
+
+		// test-image.jpg is 50x50, which fits within the default thumbnail size (150x150).
+		$test_image = DIR_TESTDATA . '/images/test-image.jpg';
+		$request    = new WP_REST_Request( 'POST', "/wp/v2/media/{$attachment_id}/sideload" );
+		$request->set_header( 'Content-Type', 'image/jpeg' );
+		$request->set_header( 'Content-Disposition', 'attachment; filename=canola-50x50.jpg' );
+		$request->set_param( 'image_size', 'thumbnail' );
+		$request->set_body( file_get_contents( $test_image ) );
+		$response = rest_get_server()->dispatch( $request );
+
+		$this->assertSame( 200, $response->get_status(), 'Valid-sized image should be accepted.' );
+	}
 }